IKEv2 VPN connections fail to use DNS servers provided by the server

Proposed patch: https://git.strongswan.org/?p=strongswan.git;a=commitdiff;h=ee8c2551

I was about to apply the patch on merge, but realized it was already part of our April change in Debian. So just mark the changelog of the merge to fix this as well.

This bug was fixed in the package strongswan - 5.6.2-2ubuntu1

---------------
strongswan (5.6.2-2ubuntu1) cosmic; urgency=medium

  * Merge with Debian unstable, closes LP: #1773814 and LP: #1772705.
    Remaining changes:
    + Clean up d/strongswan-starter.postinst: section about runlevel changes
    + Clean up d/strongswan-starter.postinst: Removed entire section on
      opportunistic encryption disabling - this was never in strongSwan and
      won't be see upstream issue #2160.
    + d/rules: Removed patching ipsec.conf on build (not using the
      debconf-managed config.)
    + d/ipsec.secrets.proto: Removed ipsec.secrets.inc reference (was
      used for debconf-managed include of private key).
    + Mass enablement of extra plugins and features to allow a user to use
      strongswan for a variety of extra use cases without having to rebuild.
      - d/control: Add required additional build-deps
      - d/control: Mention addtionally enabled plugins
      - d/rules: Enable features at configure stage
      - d/libbstrongswan-extra-plugins.install: Add plugins (so, lib, conf)
      - d/libstrongswan.install: Add plugins (so, conf)
    + d/strongswan-starter.install: Install pool feature, which is useful since
      we have attr-sql plugin enabled as well using it.
    + Add plugin kernel-libipsec to allow the use of strongswan in containers
      via this userspace implementation (please do note that this is still
      considered experimental by upstream).
      - d/libcharon-extra-plugins.install: Add kernel-libipsec components
      - d/control: List kernel-libipsec plugin at extra plugins description
      - d/p/dont-load-kernel-libipsec-plugin-by-default.patch: As
        upstream recommends to not load kernel-libipsec by default.
    + Relocate tnc plugin
     - debian/libcharon-extra-plugins.install: Drop tnc from extra plugins
     - Add new subpackage for TNC in d/strongswan-tnc-* and d/control
    + d/libstrongswan.install: Reorder conf and .so alphabetically
    + d/libstrongswan.install: Add kernel-netlink configuration files
    + Complete the disabling of libfast; This was partially accepted in Debian,
        it is no more packaging medcli and medsrv, but still builds and
        mentions it.
      - d/rules: Add --disable-fast to avoid build time and dependencies
      - d/control: Remove medcli, medsrv from package description
    + d/control: Mention mgf1 plugin which is in libstrongswan now
    + Add now built (since 5.5.1) libraries libtpmtss and nttfft to
      libstrongswan-extra-plugins (no deps from default plugins).
    + d/control, d/libcharon-{extras,standard}-plugins.install: Move charon
      plugins for the most common use cases from extra-plugins into a new
      standard-plugins package. This will allow those use cases without pulling
      in too much more plugins (a bit like the tnc package). Recommend that
      package from strongswan-libcharon.
  * Dropped Changes (no more needed after 18.04)
    + Add rm_conffile for /etc/init.d/ipsec (transition from precies had
      missed that, droppable after 18.04)
    + d/control: bump breaks/replaces from libstrongswan-extra-plugins to
      libstrongswa...

I'm seeing the merge is going into cosmic. How can I request to have this fix in bionic as well?

We're still seeing this issue in Bionic, strongswan-nm 5.6.2-2ubuntu1. Are there any plans to push to Bionic? Many thanks.

Did not mean to change info type - clumsy fingers.

Hello.
I can't install version with bugfix - 5.6.2-2ubuntu1 on Ubuntu 18.04. Because it is absent in repository.

There are only such versions:

apt-show-versions -a strongswan
strongswan:all 5.6.2-1ubuntu2.4 install ok installed
strongswan:all 5.6.2-1ubuntu2 bionic ru.archive.ubuntu.com
strongswan:all 5.6.2-1ubuntu2.3 bionic-security security.ubuntu.com
strongswan:all 5.6.2-1ubuntu2.4 bionic-updates ru.archive.ubuntu.com
No stable version
strongswan:all/bionic-updates 5.6.2-1ubuntu2.4 uptodate

Could you please add 5.6.2-2ubuntu1 to the repository?

Still seeing this on Ubuntu 18.04 LTS.
Updated package is not available.

So is this going to be fixed in the near future?

Or should I, after trying to fix the VPN of a 18.04 user for some time yesterday, just tell them to always be on the latest instead of LTS?

Do you have an estimated date on release the fix on 18.04 LTS ? it's marked rls-bb-incoming for 4 months already and there are no news since.

Since this bug is marked as "Fix Released", I did not find it in https://launchpad.net/ubuntu/+source/strongswan/+bugs

I only found now. 18.04 is still affected, so a "Fix Released" seams wrong here, at least for 18.04

I just ran into this bug also, with a fully up-to-date Ubuntu 18.04. Would be nice to have it fixed in LTS.

Status changed to 'Confirmed' because the bug affects multiple users.

Ack to Andreas re-bumping this zo high prio.
I have a PPA [1] with a test build and a MP for review [2] up.
I need to reproduce the case to define some proper SRU verification steps.

[1]: https://launchpad.net/~paelzer/+archive/ubuntu/bug-1772705-strongswan-charon-nm
[2]: https://code.launchpad.net/~paelzer/ubuntu/+source/strongswan/+git/strongswan/+merge/375430

Clearly, affected users might be much better off to use their own tests or setups that they can re-use for this. The following just tries to come up with something a third party could re-use to test this.

0. prep a VPN server/client setup with IKEv2
I used [1] to first get a server and client setup in two VMs.
A wrapper to get this done via uvtool is attached as test-strongswan-bug-1772705.tgz
Call it like:
$ ./test.sh bionic
Once the above is up and working continue

1. Install test system
Those above are (in my case) using server images, but for Network Manager we need a Desktop.
- Download a Bionic Desktop ISO and install it into e.g. using virt-manager
- In addition to the default make the guest part of the network that the strongswan server is in

2. Make sure you have installed strongswan-nm
$ apt install strongswan-nm

3. Setup a strongswan connection, e.g. follow [2] to do so.

The actual check, when you connect to that VPN via NM the DNS servers that will be added are total garbage. Check this via e.g.:
$ nmcli dev show | grep DNS

[1]: https://code.launchpad.net/~ubuntu-security/qa-regression-testing/+git/qa-regression-testing
[2]: https://wiki.strongswan.org/projects/strongswan/wiki/NetworkManager

Uploaded to Bionic-unapproved waiting for the SRU Team.

Hello Alexander, or anyone else affected,

Accepted strongswan into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/strongswan/5.6.2-1ubuntu2.5 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

I usually try to self-verify, but this is a rather complex setup, I'd call to the real users affected by this bug to give the verification of the new build in proposed a try please.

Re-ping for affected users to please verify this case.
I'd really want to help you here, but one has to step up and do the verification of this fix.

If the SRU is stuck for too long without verification it will be rightfully cancelled by the SRU team :-/

I have the server side configured with ipsec.conf:

config setup
  charondebug="ike 0, enc 0, net 0"

conn %default
  keyexchange=ikev2
  mobike=no
  dpddelay=60
  dpdtimeout=180

conn lp1772705
  left=172.24.26.187
  leftcert=peerCert.der
  leftauth=pubkey
  leftsubnet=8.8.8.8/32
  right=%any
  rightsourceip=172.21.10.0/24
  rightauth=eap-mschapv2
  rightdns=1.1.1.1,1.0.0.1
  eap_identity=%any
  auto=add

With 5.6.2-1ubuntu2.4, I get random garbage as resolvers instead of 1.1.1.1 and 1.0.0.1:

<info> [1576525492.6584] vpn-connection[0x55e5c1c6c810,eab8dcdd-e3a9-44b8-a3f0-fabe804d0d84,"lp1772705",0]: Data: Internal DNS: 128.157.0.100
<info> [1576525492.6584] vpn-connection[0x55e5c1c6c810,eab8dcdd-e3a9-44b8-a3f0-fabe804d0d84,"lp1772705",0]: Data: Internal DNS: 240.14.1.80

but I still get random garbage with 5.6.2-1ubuntu2.5:

The following packages will be upgraded:
   libcharon-standard-plugins (5.6.2-1ubuntu2.4 => 5.6.2-1ubuntu2.5)
   libstrongswan (5.6.2-1ubuntu2.4 => 5.6.2-1ubuntu2.5)
   libstrongswan-standard-plugins (5.6.2-1ubuntu2.4 => 5.6.2-1ubuntu2.5)
   strongswan-charon (5.6.2-1ubuntu2.4 => 5.6.2-1ubuntu2.5)
   strongswan-libcharon (5.6.2-1ubuntu2.4 => 5.6.2-1ubuntu2.5)
   strongswan-nm (5.6.2-1ubuntu2.4 => 5.6.2-1ubuntu2.5)
   strongswan-pki (5.6.2-1ubuntu2.4 => 5.6.2-1ubuntu2.5)
   strongswan-starter (5.6.2-1ubuntu2.4 => 5.6.2-1ubuntu2.5)

<info> [1576525739.9236] vpn-connection[0x55e5c1c6c410,eab8dcdd-e3a9-44b8-a3f0-fabe804d0d84,"lp1772705",0]: Data: Internal DNS: 144.190.1.100
<info> [1576525739.9236] vpn-connection[0x55e5c1c6c410,eab8dcdd-e3a9-44b8-a3f0-fabe804d0d84,"lp1772705",0]: Data: Internal DNS: 96.221.1.100

I did multiple attempts varying rightdns= to push 1.1.1.1 and/or 1.0.0.1 but they all failed:

$ journalctl -b0 -o cat | grep 'Internal DNS'
<info> [1576525492.6584] vpn-connection[0x55e5c1c6c810,eab8dcdd-e3a9-44b8-a3f0-fabe804d0d84,"lp1772705",0]: Data: Internal DNS: 128.157.0.100
<info> [1576525492.6584] vpn-connection[0x55e5c1c6c810,eab8dcdd-e3a9-44b8-a3f0-fabe804d0d84,"lp1772705",0]: Data: Internal DNS: 240.14.1.80
<info> [1576525720.6106] vpn-connection[0x55e5c1c6c610,eab8dcdd-e3a9-44b8-a3f0-fabe804d0d84,"lp1772705",0]: Data: Internal DNS: 0.48.1.100
<info> [1576525720.6106] vpn-connection[0x55e5c1c6c610,eab8dcdd-e3a9-44b8-a3f0-fabe804d0d84,"lp1772705",0]: Data: Internal DNS: 80.83.122.160
<info> [1576525739.9236] vpn-connection[0x55e5c1c6c410,eab8dcdd-e3a9-44b8-a3f0-fabe804d0d84,"lp1772705",0]: Data: Internal DNS: 144.190.1.100
<info> [1576525739.9236] vpn-connection[0x55e5c1c6c410,eab8dcdd-e3a9-44b8-a3f0-fabe804d0d84,"lp1772705",0]: Data: Internal DNS: 96.221.1.100
<info> [1576526033.7857] vpn-connection[0x56137b6c67f0,eab8dcdd-e3a9-44b8-a3f0-fabe804d0d84,"lp1772705",0]: Data: Internal DNS: 0.70.3.100
<info> [1576526726.4132] vpn-connection[0x56137b6c61f0,eab8dcdd-e3a9-44b8-a3f0-fabe804d0d84,"lp1772705",0]: Data: Internal DNS: 48.107.3.100

I'm just going through my old triage backlog and saw this update. Did you update both ends of the vpn connection, server and client, and still get the incorrect dns update?

While the fix only applies to the client side, you got me questioning what I had done so I redid the test.

This time it worked with 5.6.2-1ubuntu2.5 on the client side and 5.6.2-1ubuntu2.4 on the server side. I must have forgot to restart NetworkManager or something stupid like that in my first test, sorry about that.

# Client:
sdeziel@client:~$ dpkg -l| grep strongswan-nm
ii strongswan-nm 5.6.2-1ubuntu2.5 amd64 strongSwan plugin to interact with NetworkManager
sdeziel@client:~$ journalctl -b0 -o cat | grep 'Internal DNS'
<info> [1579189524.6958] vpn-connection[0x55bc2512a300,681de60a-8347-45ce-b67a-e75f27f3325c,"lp1772705",0]: Data: Internal DNS: 1.1.1.1
<info> [1579189524.6958] vpn-connection[0x55bc2512a300,681de60a-8347-45ce-b67a-e75f27f3325c,"lp1772705",0]: Data: Internal DNS: 1.0.0.1
<info> [1579189549.2329] vpn-connection[0x55bc2512a500,681de60a-8347-45ce-b67a-e75f27f3325c,"lp1772705",0]: Data: Internal DNS: 1.1.1.1
<info> [1579189549.2330] vpn-connection[0x55bc2512a500,681de60a-8347-45ce-b67a-e75f27f3325c,"lp1772705",0]: Data: Internal DNS: 1.0.0.1
<info> [1579189590.1060] vpn-connection[0x55bc2512a700,681de60a-8347-45ce-b67a-e75f27f3325c,"lp1772705",0]: Data: Internal DNS: 1.1.1.1
<info> [1579189590.1060] vpn-connection[0x55bc2512a700,681de60a-8347-45ce-b67a-e75f27f3325c,"lp1772705",0]: Data: Internal DNS: 1.0.0.1

# Server:
root@lp1772705:~# dpkg -l| grep -w 'strongswan '
ii strongswan 5.6.2-1ubuntu2.4 all IPsec VPN solution metapackage

Thanks you Simon for coming back to this!
Looks all green int he pending-sru report - should release soon.

The verification of the Stable Release Update for strongswan has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

This bug was fixed in the package strongswan - 5.6.2-1ubuntu2.5

---------------
strongswan (5.6.2-1ubuntu2.5) bionic; urgency=medium

  * d/p/lp-1772705-charon-nm-Fix-building-list-of-DNS-MDNS-servers-with.patch:
    fix charon-nm pushing random DNS servers (LP: #1772705)

 -- Christian Ehrhardt <email address hidden> Tue, 12 Nov 2019 12:32:51 +0100